
Supply Chain Security in Light of EU Regulations: A Practical Approach

Lately, I’ve been thinking about the complexity of securing the software supply chain. If there’s one lesson we’ve learned from incidents like the SolarWinds and Kaseya attacks, it’s that our supply chains are increasingly becoming the weakest link in our cybersecurity defenses. What makes it even more challenging is the regulatory landscape—particularly within the European Union (EU)—which is evolving to place more responsibility on organizations to secure their supply chains. ...

September 30, 2024 · 5 min · Oskar Edbro

Vulnerability Categories for Business

There are endless ways to divide vulnerabilities into different classifications, each more granular than the last. However, there is also a need for a simple divide, targeted at the business. That is the problem this post will solve. Using the same categories as in the post Security for Any Development Team, I will break security vulnerabilities down into three categories. After reading this post, you will have an insight into why vulnerabilities arise, and what can be done to minimise the risk. ...

November 5, 2022 · 5 min · Oskar Edbro

The Modern Con - Social Networks and Marketing

In today's internet-based world, phishing has become a great nuisance. We all know about the emails trying to trick the receiver into performing an action that is to the sender's gain. This could be to install malware, send money, or something else. Either way, this is just the newest variant of the con (aka confidence game) to trick someone for gain. After reading The Confidence Game by Maria Konnikova I got to thinking. Where is the line between a con and business? ...

August 3, 2022 · 3 min · Oskar Edbro

An Overview of Security Champions

Security Champions is a concept that is gaining more and more traction. The function might go under another name, such as Security Masters, but the concept is the same. In this post I will dig into what this role contains and how it can be applied to improve the security posture of an organisation. My experience with Security Champions is in Research and Development organisations, so my views are anchored in R&D. However, I see no reason why Security Champions could not be applied in other kinds of organisations as well. ...

June 19, 2022 · 5 min · Oskar Edbro

Privacy not Included

I’ve previously written about the difficulty of keeping up to date with the current privacy policies of the products one is using. Not only are they updated regularly, they are also long and complex. Here Mozilla, the non-profit organisation behind Firefox among other things, has created Privacy not Included to help. Privacy not Included is a tool where experts investigate the privacy of different products and give clear information on both what the policy says and what data the product collects (permissions, sensors on the device, etc.). In addition to the purely privacy-related analysis, the basic security of the product as well as its use of AI is investigated. Even though Privacy not Included does not cover every product in the world, it covers a lot of them, and some of the results are surprising. Enough so that I got stuck just reading the analyses while reading up for this post. And if there is a product missing that you would love to see investigated, there is an easy form to request products to be analysed in the future. ...

May 26, 2022 · 2 min · Oskar Edbro